1. Technical Field
The present invention relates generally to improved method of managing digital keys used in cryptographic operations, and in particular, to a computer implemented method for securely managing these keys in a key repository.
2. Description of Related Art
The Internet is a global system of interconnected computer networks that use standards based protocols to serve a variety of content to billions of users worldwide. The World Wide Web, or Web, is one of the services communicated via the Internet. The Web is a collection of interconnected web sites, linked by links, which include Uniform Resource Identifiers (“URIs”). URIs are classified as Uniform Resource Locators (“URLs”), as Uniform Resource Names (“URNs”), or both. A URL resembles a person's street address while a URN functions like a person's name.
A URL has a syntax and includes the protocol used to transfer data (e.g., http:, https: or ftp:), a server name and domain name used to identify the address of the server containing a webpage, a directory and subdirectory on the server, and filename and file type of the content delivery unit. The form used for these URL addresses is protocol://servername.domainname/directory/subdirectory/fil ename.filetype. The websites located at the address identified by a URL may be a web page, image, video, or other type of content. A web browser is used to retrieve, present, and traverse the websites on the Web.
The Web has become a pathway for spreading malware and carrying out cybercrime such as identity theft, fraud, espionage and intelligence gathering. Websites on the Web are frequent sources of infection of personal computers by malware, spyware, worms, viruses, and other unwanted and/or dangerous programs. Because of the malware and cybercrime on the Web, many websites contain security features to attempt to prevent or reduce the risk of infection and criminal activity.
In response to this threat, secure methods of communication between a web browser and a website have been created such as the SSL secure socket layer and the HTTPS security protocol. However, such secure protocols are not secure unless both the web browser and the website can verify that the other is authentic and that the communication is secure from eavesdropping. Various measures have been developed to provide this security including a public key infrastructure and the use of private keys. A key may a digital alphanumeric value, often generated from prime numbers for use in secure cryptographic based network or internet communications, and may be either public or private in nature. Keys may be generated or used in pairs, either symmetrically or asymmetrically. Keys may be contained within a digital certificate or other type of certificate generated by a user and/or third party approver. A public key infrastructure has been developed by the web community to create, manage, distribute, use, store and revoke digital certificates. These digital certificates include information about a person or organization, a unique public key for that person or organization, and a digital signature from a third party certificate authority verifying the identity of that person or organization. In addition, a web browser user and a website may have private keys used for encrypting the communication between them. Internet standards such as transport layer security (TLS) utilize private keys to provide secure encrypted communications between web browsers and websites.
The various types of keys (e.g., public keys, private keys, digital certificates each containing a key, etc.) are typically stored by a web browser or a website in a repository in memory. However, this type of information needs to be stored securely to prevent third parties such as hackers from accessing that information. Often such a key repository contains multiple keys (including certificates containing keys) that are encrypted and hashed and stored in a secure or hidden location memory for future use. The encryption prevents hackers from using any private information read from the key repository in memory, and the hash helps verify that the key repository has not been modified by unauthorized personnel or otherwise tampered with in any manner.
There are various formats of key repositories used today. When running in Java™ (a machine independent software language) security certificates can be stored in a key repository called a keystore (Java is a trademark of Oracle Corporation in the United States and other countries). Java™ uses a keystore format called JKS that does not require real cryptographic services, a keystore format called PKCS-12 with cryptographic schemes to encrypt sensitive data, and a keystore format called JCEKS that uses a password based encryption scheme. A user may use multiple keystores or other types of key repositories with the same format or with different formats. For example, a user may store all certificates and/or public keys in one keystore such as JKS and private keys in a different more secure format such as JCEKS.
Some large organizations use a Tivoli Key Lifecycle Manager (TKLM) for managing keys and certificates across the many users of the organization. TKLM may utilize JKS and/or JCEKS keystores to securely store keys as well as the certificates containing keys.